Bug 1848850 (CVE-2020-12063)

Summary: CVE-2020-12063 postfix: an attacker may send an email from an arbitrary-looking sender via a homoglyph attack
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: jskarvad, olysonek
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
For some Postfix configurations, a remote user can send e-mails pretending to be someone else (or even using a non-existing user name containing homoglyph characters). One of the discussed problems is that the Postfix parameters "smtpd_sender_login_maps" and "smtpd_sender_restrictions" look useless because they work only for authorized users, and an attacker could get around them by sending e-mails anonymously to any local user. The described issue should not be considered a security issue, so it is "DISPUTED".
Last Closed: 2020-07-20 19:27:45 UTC
Bug Blocks: 1848851

Description Marian Rehak 2020-06-19 05:11:07 UTC
A certain Postfix 2.10.1-7 package could allow an attacker to send an email from an arbitrary-looking sender via a homoglyph attack, as demonstrated by the similarity of \xce\xbf to the 'o' character. This is potentially relevant when the /etc/postfix/sender_login feature is used, because a spoofed outbound message that uses a configured sender address is blocked with a "Sender address rejected: not logged in" error message, but a spoofed outbound message that uses a homoglyph of a configured sender address is not blocked.

Openwall Information:

https://www.openwall.com/lists/oss-security/2020/04/23/12

Comment 1 Marian Rehak 2020-06-19 05:11:51 UTC
Dispute note:
Some third parties argue that any missed blocking of spoofed outbound messages - except for exact matches to a sender address in the /etc/postfix/sender_login file - is outside the design goals of Postfix and thus cannot be considered a Postfix vulnerability.

Comment 2 Alex 2020-07-20 13:51:17 UTC
The CVE was created incorrectly, because Postfix works as designed and allows the described problem to be prevented with some configuration (an example of such a configuration is below).
Any version of Postfix, if configured for both inbound and outbound e-mails, allows any unauthorized user to send e-mails to the local users (relaying is usually disabled by configuration, so only to local users).
This is by design of the SMTP protocol: "SMTP forging cannot be prevented, and the underlying protocol was not designed with security in mind" (taken from https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address ).
The described problem is that it is possible to control MAIL FROM for authorized users (using the params "smtpd_sender_login_maps" and "smtpd_sender_restrictions" of the Postfix configuration), but it is not possible to control the content of MAIL FROM for unauthorized users.
However, the workaround to fix the described problem is to use the following Postfix configuration (the configuration suggested below both disables the possibility of non-existing user names for the particular domain mail.mydomain.com and enables a check that authorized users use only their username as the sender field):

smtpd_sender_restrictions =
    check_sender_access texthash:/etc/postfix/sender_access
    reject_sender_login_mismatch
    reject_unknown_sender_domain

with the content of file /etc/postfix/sender_access:

cat /etc/postfix/sender_access
mail.mydomain.com reject_unverified_sender


However, even though this configuration prevents the problem described by CVE-2020-12063, it still allows an anonymous (non-authorized) e-mail to pretend to be from any existing user to another existing user.

Comment 6 Alex 2020-07-20 16:47:32 UTC
Mitigation:

The described problem could be prevented by using the Postfix configuration param check_sender_access (part of smtpd_sender_restrictions) for the domain names being used for receiving e-mails, with the param reject_unverified_sender for each of these domains.

The related part of postfix configuration example:

smtpd_sender_login_maps = texthash:/etc/postfix/sender_login
smtpd_sender_restrictions =
    check_sender_access texthash:/etc/postfix/sender_access
    reject_sender_login_mismatch
    reject_unknown_sender_domain

and the content of the file /etc/postfix/sender_access would be:

mail.mydomain.com reject_unverified_sender

and the content of the file /etc/postfix/sender_login would be:

username.com username.com
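
As an added illustration (not part of this bug report or of Postfix itself), the check below shows why an exact-match lookup in a sender_login map misses the homoglyph case from the description and Comment 2, and why the reject_unverified_sender rule from Comment 6 is what catches the unknown local part: it parses a constructed texthash sender_login map and classifies a MAIL FROM address as an exact match, a confusable look-alike of a configured sender, or an unrelated address. The confusables table, the sample map and the function names are assumptions made for this example.

```python
import unicodedata

# Constructed confusables table (a small hand-picked subset in the spirit of
# Unicode TR39 data): each homoglyph maps to the ASCII letter it resembles.
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON, the UTF-8 \xce\xbf from the report
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

# Constructed sample of a texthash sender_login map ("sender login" per line).
SAMPLE_SENDER_LOGIN = "bob@mail.mydomain.com bob\nalice@mail.mydomain.com alice\n"


def skeleton(addr: str) -> str:
    """Fold an address to an ASCII-like skeleton for confusable comparison."""
    folded = unicodedata.normalize("NFKC", addr).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def parse_sender_login(text: str) -> dict:
    """Parse a texthash sender_login map into {sender: login}; '#' lines are comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        mapping[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return mapping


def classify_sender(mail_from: str, sender_login: dict) -> tuple:
    """Return (verdict, matched_configured_sender_or_None) for a MAIL FROM address.

    exact     - listed in sender_login, so reject_sender_login_mismatch applies
    homoglyph - not listed, but confusable with a listed sender (the CVE case)
    other     - unrelated address; only reject_unverified_sender can catch it
    """
    addr = mail_from.lower()
    if addr in sender_login:
        return ("exact", addr)
    sk = skeleton(addr)
    for configured in sender_login:
        if skeleton(configured) == sk:
            return ("homoglyph", configured)
    return ("other", None)
```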

Comment 7 Product Security DevOps Team 2020-07-20 19:27:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12063

Comment 8 Alex 2020-08-06 18:09:27 UTC
Statement:

Red Hat Product Security does not consider this to be a vulnerability. The described problem is a problem of a possibly incorrect Postfix configuration, not a bug in Postfix itself. Also, there is no way to totally resolve the problem described in the CVE, because it is how the SMTP protocol is designed. This means that the SMTP protocol allows some SPAM or forged e-mails and there is no way to prevent it totally, but if Postfix is configured well, then it is possible to make it more strict (less SPAM and less forging).